In this guide we explain how to install Shibboleth SSO on Ubuntu 20.04.
What is Shibboleth Server?
Shibboleth is a single sign-on and login solution for computer networks and the Internet. It lets you sign in once, with a single identity, to systems run by federations of different organizations or institutions.
Shibboleth is a web-based single sign-on infrastructure. It is built on SAML, a standard for the exchange of authentication data.
Shibboleth can authenticate users against Active Directory, LDAP or Kerberos and extend that authentication to cloud applications.
It is one of the most widely used identity management packages in the world, adopted by academic institutions, identity federations and commercial organizations everywhere.
This post takes us through installing Shibboleth SSO on Ubuntu 20.04. Shibboleth is deployed into Apache Tomcat, so the Tomcat web server is installed as part of the process; once it is running, its service status looks like this:
● tomcat.service - Tomcat 9 servlet container
Loaded: loaded (/etc/systemd/system/tomcat.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2021-11-16 10:56:34 UTC; 9min ago
Main PID: 5156 (java)
Tasks: 41 (limit: 4691)
Memory: 682.6M
CGroup: /system.slice/tomcat.service
└─5156 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.loggin>
Nov 16 10:56:34 ubuntu systemd[1]: Starting Tomcat 9 servlet container...
Nov 16 10:56:34 ubuntu startup.sh[5136]: Tomcat started.
Nov 16 10:56:34 ubuntu systemd[1]: Started Tomcat 9 servlet container.
Configure Tomcat Web Management Interface
In the next part of our guide we need to create an admin user to access the Tomcat web interface. You can do this by editing the tomcat-users.xml file:
nano /opt/tomcat/conf/tomcat-users.xml
Add the following lines above the line </tomcat-users>:
Save and close the file when you are finished.
By default, Tomcat allows access to the Manager and Host Manager apps only from localhost, so you will need to enable access to the web interface from your remote machine.
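The two edits just described, done with a generated password and with the manager opened to one admin address instead of to everyone, as an added shell example that is not from this guide; the /opt/tomcat paths follow the guide and ADMIN_IP is a placeholder:

```shell
#!/bin/sh
# Added example, not from the guide: create the Tomcat manager user with a
# generated password and extend the manager app's RemoteAddrValve to one admin
# address instead of removing it. Assumes the guide's /opt/tomcat layout; the
# ADMIN_IP value is a placeholder from a documentation range.
set -eu

TOMCAT_HOME="${TOMCAT_HOME:-/opt/tomcat}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"

# Insert a manager-gui role and user just above </tomcat-users>. The password
# is 24 base64 characters from openssl; it is printed once for the operator.
add_manager_user() {
    users_xml="$1"; name="$2"
    pw=$(openssl rand -base64 18)
    awk -v u="$name" -v p="$pw" '
        /<\/tomcat-users>/ {
            print "  <role rolename=\"manager-gui\"/>"
            print "  <user username=\"" u "\" password=\"" p "\" roles=\"manager-gui\"/>"
        }
        { print }' "$users_xml" > "$users_xml.tmp" && mv "$users_xml.tmp" "$users_xml"
    echo "$pw"
}

# Tomcat ships webapps/manager/META-INF/context.xml with a RemoteAddrValve whose
# allow= regex admits only loopback. Rather than commenting the valve out (which
# lets anyone who can reach port 8080 try the deployer), append one admin IP.
restrict_manager() {
    ctx="$1"; ip="$2"
    esc=$(printf '%s' "$ip" | sed 's/\./\\\\./g')   # dots become \. in the regex
    sed "/allow=\"/s#\(allow=\"[^\"]*\)\"#\1|$esc\"#" "$ctx" \
        > "$ctx.tmp" && mv "$ctx.tmp" "$ctx"
}

# Touch the live Tomcat only when run with --apply, so sourcing is harmless.
if [ "${1:-}" = "--apply" ]; then
    add_manager_user "$TOMCAT_HOME/conf/tomcat-users.xml" admin
    restrict_manager "$TOMCAT_HOME/webapps/manager/META-INF/context.xml" "$ADMIN_IP"
fi
```

The password it prints is the one the Manager App sign-in dialog asks for; restart Tomcat after both files change.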
Next, deploy the WAR file /opt/shibboleth-idp/war/idp.war into Tomcat using the Tomcat manager app.
First, open your web browser and access Tomcat at the URL http://your-server-ip:8080. You should see the following screen:
Now, click on the Manager App. You should see the authentication page:
Provide your admin username and password and click on the Sign in button. You should see the following page:
Now, scroll down, type “/opt/shibboleth-idp/war/idp.war” into the WAR or Directory path field and click the Deploy button to deploy the WAR file. You should see the following page:
Next, you will also need to edit the access-control.xml file and enable remote access to Shibboleth IDP:
nano /opt/shibboleth-idp/conf/access-control.xml
Add “0.0.0.0/0” to the allowed ranges so that anyone can access Shibboleth, as shown below:
Save and close the file when you are finished. Then, restart the Tomcat service to apply the changes:
systemctl restart tomcat
Now, open your web browser and access the Shibboleth status page using the URL http://your-server-ip:8080/idp/status. If everything is fine, you should see the following page:
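As an added example that is not part of the guide, a shell check that flags an allowedRanges entry such as the 0.0.0.0/0 just added and tightens it to loopback plus a management network before the server goes live; the access-control.xml sample inside is constructed in the IdP v4 layout, and ADMIN_NET is a placeholder:

```shell
#!/bin/sh
# Added example, not from the guide: check conf/access-control.xml for ranges
# that open the IdP's status and admin pages to the whole Internet, and replace
# them with loopback plus a management network. The sample file is constructed
# in the IdP v4 layout (an IPRangeAccessControl bean with p:allowedRanges);
# ADMIN_NET is a placeholder.
set -eu

ADMIN_NET="${ADMIN_NET:-10.0.0.0/8}"

# Print every CIDR found in the file's allowedRanges attributes, one per line.
list_ranges() {
    grep -o 'p:allowedRanges="[^"]*"' "$1" | grep -o "'[^']*'" | tr -d "'"
}

# Print ranges that match any address (the guide's 0.0.0.0/0 and the IPv6
# equivalent ::/0); return 1 if any were found so a deploy script can stop.
audit_ranges() {
    open=0
    for r in $(list_ranges "$1"); do
        case "$r" in
            0.0.0.0/0|::/0) echo "OPEN: $r"; open=1 ;;
        esac
    done
    return $open
}

# Rewrite the allowedRanges list to loopback plus the management network.
restrict_ranges() {
    f="$1"; net="$2"
    new="'127.0.0.1/32', '::1/128', '$net'"
    sed "s|p:allowedRanges=\"#{ {[^}]*} }\"|p:allowedRanges=\"#{ {$new} }\"|" "$f" \
        > "$f.tmp" && mv "$f.tmp" "$f"
}

# Constructed sample mirroring the guide's "allow anyone" edit.
write_sample() {
    cat > "$1" <<'EOF'
<util:map id="shibboleth.AccessControlPolicies">
    <entry key="AccessByIPAddress">
        <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
            p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '0.0.0.0/0'} }" />
    </entry>
</util:map>
EOF
}
```

Run audit_ranges against /opt/shibboleth-idp/conf/access-control.xml before the server is reachable from outside, and restart Tomcat after restrict_ranges as described above.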
Configure HTTPS for Shibboleth SSO
It is recommended to enable HTTPS for Shibboleth SSO. To do so, first install the Apache package with the following command:
apt-get install apache2 -y
Next, create a directory to store the SSL certificate:
mkdir /etc/apache2/ssl
Next, generate a self-signed SSL certificate using the following command:
Generating a RSA private key
...............................+++++
.....................+++++
writing new private key to '/etc/apache2/ssl/idp.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:GJ
Locality Name (eg, city) []:JND
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ITC
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:SERVER
Email Address []:admin@example.com
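Added example, not the guide's command: generating the same /etc/apache2/ssl/idp.key and idp.crt non-interactively with a subjectAltName, then checking that key and certificate belong together before Apache is pointed at them; it assumes openssl 1.1.1 or newer and the host name idp.example.com used in the virtual host below.

```shell
#!/bin/sh
# Added example, not the guide's command: generate the self-signed certificate
# non-interactively with a subjectAltName (browsers match the SAN, not the CN
# "SERVER" typed above) and verify that idp.crt and idp.key belong together
# before Apache is pointed at them. Assumes openssl 1.1.1+; SSL_DIR and
# IDP_FQDN are placeholders matching the guide's paths and virtual host.
set -eu

SSL_DIR="${SSL_DIR:-/etc/apache2/ssl}"
IDP_FQDN="${IDP_FQDN:-idp.example.com}"

# Write idp.key (RSA 2048, unencrypted so Apache can start unattended) and
# idp.crt, with CN and SAN both set to the IdP host name.
gen_selfsigned() {
    dir="$1"; fqdn="$2"; days="${3:-365}"
    mkdir -p "$dir"
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -keyout "$dir/idp.key" -out "$dir/idp.crt" \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
    chmod 600 "$dir/idp.key"   # private key readable by root only
}

# Compare the public key inside the certificate with the one derived from the
# private key. A mismatch is what makes Apache refuse to start with a
# key/certificate mismatch error. Prints "match" or "mismatch".
cert_key_match() {
    dir="$1"
    c=$(openssl x509 -in "$dir/idp.crt" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$dir/idp.key" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# Prints "yes" if the certificate's SAN covers the host name clients will use.
cert_covers_host() {
    if openssl x509 -in "$1/idp.crt" -noout -text | grep -q "DNS:$2\$"; then
        echo yes
    else
        echo no
    fi
}

# Generate for real only when run with --apply; sourcing the file is harmless.
if [ "${1:-}" = "--apply" ]; then
    gen_selfsigned "$SSL_DIR" "$IDP_FQDN" 365
    cert_key_match "$SSL_DIR"
fi
```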
Next, create an SSL params file with the following command:
nano /etc/apache2/conf-available/ssl-params.conf
Add the following lines:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets Off
Save and close the file, then create an Apache virtual host configuration file to host Shibboleth SSO with HTTPS:
<VirtualHost *:443>
    ServerName idp.example.com
    ServerAdmin admin@example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    #ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine on
    SSLProxyEngine On
    SSLCertificateFile /etc/apache2/ssl/idp.crt
    SSLCertificateKeyFile /etc/apache2/ssl/idp.key
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
Save and close the file, then enable the required Apache modules and activate the Apache virtual host with the following commands:
How to Install Shibboleth SSO on Ubuntu 20.04 Conclusion
In the above post, we explained how to install Shibboleth SSO with Tomcat on Ubuntu 20.04. We also explained how to secure the Shibboleth website with a self-signed SSL certificate. I hope you can now easily deploy Shibboleth SSO in your organization.
I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.